---
title: "Threat Feeds Tab View"
slug: "threat-feeds-tab"
tags: ["Malicious Activity", "Threat Feeds", "Threat Intelligence"]
updated: 2025-12-30T14:07:34Z
published: 2025-12-30T14:07:34Z
---


# Threat Feeds Tab View

A domain, such as `example.com`, triggers a callback or phishing alert to your SIEM. Is it a fleeting hit, or is it chronically listed across feeds, signaling ongoing threats? Manual feed checks across sources fragment your hunt.

The Threat Feeds view displays a timeline of when a domain or IP (e.g., URL) appeared in Total View threat intelligence feeds, either historically or currently. It highlights IOFA (Indicators of Future Attack) exposures via flags such as **Part of IOFA Feed**, which aggregates sources for risk patterns, including phishing or malware.

Available for Domains and IPv4, this view pulls from Silent Push’s feed integrations, complementing Whois for ownership ties and PADNS for resolution context.

Threat feeds expose malicious timelines, but disjointed views obscure persistence. This view tracks first/last seen dates and spans, revealing behaviors like brief IOFA listings for emerging campaigns. The **IOFA Feed** flag identifies proactive risks, prompting deeper dives.

Teams assess activity duration (e.g., 10 days on FIN7 feeds) and correlate it with [**Infrastructure Variance**](/v1/docs/infrastructure-variance) for infrastructure shifts, or use historical views for actor attribution, which is essential for SOC triage or defender monitoring.

## How It Works

Silent Push’s aggregation engine compiles feed data in-house, creating gap-free timelines from third-party sources. Core fields (First Seen, Last Seen, spans) populate along with their "ago" (time elapsed) calculations; the graph visualizes trends, and hovering reveals feed specifics (e.g., "TrafficAI Generated Websites Domains").

The Feeds Historical View details entries, including IOFA ties. Basic Raw Data mode shows unprocessed listings (e.g., exact dates/sources) for audits. The Threat Feeds view links to other views; a recent listing here might align with PADNS anomalies, flagging takeovers.

## Generate a Set of Results

Input a domain (e.g., `grandsofa.site`) in the search bar to open Total View, and click Threat Feeds. The timeline and fields load; expand Historical View for details, filter by date or feed, and toggle **Domain Wide View** for subdomains.

## Example

Query `grandsofa.site` in **Threat Feeds**: Fields show First Seen 2025-09-29 (9 days ago), Last Seen 2025-10-08 (0 days ago), Listed Span 10 days. The **Part of IOFA Feed** flag highlights exposure.

Historical View lists **Threat Actor - FIN7 Domains** (first seen 2025-09-29, last 2025-10-07), with a trend graph spiking to 2034 indicators (Last Updated 2025-10-08). Hover over the red line for feed details: Description notes FIN7's financial targeting.

![Overview of threat feed details for grandsofa.site, highlighting significant indicators and trends.](https://cdn.document360.io/8e5460b3-9d96-4b01-8bb3-6591a4af3a8c/Images/Documentation/Screenshot 2025-10-08 at 2.43.59 PM.png)

## Fields

- **First Seen**: The initial date an Observable was detected on a threat feed (e.g., 2025-08-03).
- **First Seen Ago**: The time elapsed since the first detection (e.g., 30 days ago).
- **Last Seen**: The most recent date the observable was detected on a feed (e.g., 2025-09-01).
- **Last Seen Ago**: The time elapsed since the last detection (e.g., 1 day ago).
- **Listed Span**: The total duration the observable has been listed.
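
The field arithmetic above can be reproduced offline from per-feed listing rows. The following is an added example, not Silent Push code: the CSV column names, the second feed row, and the `stale_after_days` threshold are assumptions made for illustration, and the inclusive day count for Listed Span is inferred from the page's own example values (2025-09-29 to 2025-10-08 shown as 10 days).

```python
import csv
import io
from datetime import date

# Constructed sample rows. Column names are hypothetical, not the product's CSV schema.
SAMPLE_CSV = """observable,feed,first_seen,last_seen,iofa
grandsofa.site,Threat Actor - FIN7 Domains,2025-09-29,2025-10-07,false
grandsofa.site,Constructed IOFA Feed,2025-10-01,2025-10-08,true
"""


def summarize(csv_text, observable, as_of, stale_after_days=1):
    """Collapse per-feed rows for one observable into the summary fields."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if r["observable"].strip().lower() == observable.lower()]
    if not rows:
        return None  # never listed, e.g. a benign domain with an empty history
    first = min(date.fromisoformat(r["first_seen"]) for r in rows)
    last = max(date.fromisoformat(r["last_seen"]) for r in rows)
    if last > as_of:
        raise ValueError("last_seen is later than the as-of date")
    last_ago = (as_of - last).days
    return {
        "first_seen": first.isoformat(),
        "first_seen_ago_days": (as_of - first).days,
        "last_seen": last.isoformat(),
        "last_seen_ago_days": last_ago,
        # Inclusive count of days, matching the example on this page.
        "listed_span_days": (last - first).days + 1,
        "part_of_iofa_feed": any(r["iofa"].strip().lower() == "true" for r in rows),
        # Assumed triage rule: a listing seen within the threshold is still active.
        "currently_listed": last_ago <= stale_after_days,
        "feeds": sorted({r["feed"] for r in rows}),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_CSV, "grandsofa.site", date(2025, 10, 8)))
```

The summary spans all feeds, which is why Last Seen can be later than the last date of any single feed entry, as with the FIN7 row here.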

## Feeds Historical View

The historical view provides a detailed log of specific feed entries and listing dates for analysis. For benign domains such as `example.com`, it may appear empty.

It includes feed names (e.g., TrafficAI Generated Websites Domains), the first/last seen dates, and IOFA indicators. Hover over lines on the timeline graph for expanded info: feed source, description, and update timestamps.

## Use Case

Track patterns, such as FIN7 listings, that are tied to actor TTPs.

## Work with Threat Feed Results

The results view supports direct actions, such as copying fields, customizing columns (e.g., adding descriptions), or downloading CSVs for reports. Save results to a Feed or Draft Feed to monitor listings, like IOFA spikes.

> [!NOTE]
> Tips
> 
> - Input a suggested domain to populate **First Seen**, **Last Seen**, and **Listed Span** fields.
> - Use the **Feeds Historical View** to track feed-specific activity over time.
> - Correlate with [PADNS](/v1/docs/passive-dns-queries-1) or [Infrastructure Variance](/v1/docs/infrastructure-variance) for a more comprehensive understanding.

